Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Общие модули

Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files) The module loader can load DLLs: * via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory; * via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension); * via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs; * via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT. Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.

ID: T1129
Тактика(-и): Execution
Платформы: Windows
Источники данных: Module: Module Load, Process: OS API Execution
Версия: 2.1
Дата создания: 31 May 2017
Последнее изменение: 19 Apr 2022

Примеры процедур

Название Описание
gh0st RAT

gh0st RAT can load DLLs into memory.(Citation: Gh0stRAT ATT March 2019)

Hydraq

Hydraq creates a backdoor through which remote attackers can load and call DLL functions.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

PUNCHBUGGY

PUNCHBUGGY can load a DLL using the LoadLibrary API.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Stuxnet

Stuxnet calls LoadLibrary then executes exports from a DLL.(Citation: Symantec W.32 Stuxnet Dossier)

Astaroth

Astaroth uses the LoadLibraryExW() function to load additional modules. (Citation: Cybereason Astaroth Feb 2019)

KillDisk

KillDisk loads and executes functions from a DLL.(Citation: Trend Micro KillDisk 1)

Metamorfo

Metamorfo had used AutoIt to load and execute the DLL payload.(Citation: Fortinet Metamorfo Feb 2020)

DarkWatchman

DarkWatchman can load DLLs.(Citation: Prevailion DarkWatchman 2021)

Attor

Attor's dispatcher can execute additional plugins by loading the respective DLLs.(Citation: ESET Attor Oct 2019)

FoggyWeb

FoggyWeb's loader can call the load() function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)

BLINDINGCAN

BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.(Citation: US-CERT BLINDINGCAN Aug 2020)

Bumblebee

Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll.(Citation: Medium Ali Salem Bumblebee April 2022)

TajMahal

TajMahal has the ability to inject the LoadLibrary call template DLL into running processes.(Citation: Kaspersky TajMahal April 2019)

BOOSTWRITE

BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.(Citation: FireEye FIN7 Oct 2019)

Dtrack

Dtrack contains a function that calls LoadLibrary and GetProcAddress.(Citation: CyberBit Dtrack)

PipeMon

PipeMon has used call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.(Citation: ESET PipeMon May 2020)

Контрмеры

Контрмера Описание
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Execution through Module Load Mitigation

Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlated subsequent behavior to determine if it is the result of malicious activity.

Обнаружение

Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.

Ссылки

  1. Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.
  2. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  3. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  4. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  5. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  6. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  7. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  8. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  9. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  10. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  11. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  12. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  13. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  14. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  15. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  16. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  17. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  18. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

Каталоги